Before this patch the client/server cert/key fields were
just file paths that told the nvmeof gw daemon where to look
for the cert/key. There is not much reason for users to
care where in the nvmeof gw container the cert goes. It is more
useful to use these fields as a way to pass the certs/keys
to the daemon and then just hardcode where in the container
we will place the certs/keys.
Signed-off-by: Adam King <adking@redhat.com>
(cherry picked from commit
e9fca39092348e6c08022341116875e831c175f0)
mounts[log_dir] = '/var/log/ceph:z'
return mounts
+ def _get_tls_cert_key_mounts(
+ self, data_dir: str, files: Dict[str, str]
+ ) -> Dict[str, str]:
+ mounts = dict()
+ for fn in ['server_cert', 'server_key', 'client_cert', 'client_key']:
+ if fn in files:
+ mounts[
+ os.path.join(data_dir, fn)
+ ] = f'/{fn.replace("_", ".")}'
+ return mounts
+
def customize_container_mounts(
self, ctx: CephadmContext, mounts: Dict[str, str]
) -> None:
data_dir = self.identity.data_dir(ctx.data_dir)
log_dir = os.path.join(ctx.log_dir, self.identity.fsid)
mounts.update(self._get_container_mounts(data_dir, log_dir))
+ mounts.update(self._get_tls_cert_key_mounts(data_dir, self.files))
def customize_container_binds(
self, ctx: CephadmContext, binds: List[List[str]]
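Review bot: The TLS mounts built on L19-L21 (`mounts[os.path.join(data_dir, fn)] = f'/{fn.replace("_", ".")}'`) bind the private keys read-write and without the SELinux `:z` label that the log mount on L11 carries, so on an SELinux-enforcing host the container will likely be denied access to `/server.key`, and nothing prevents the gateway process from modifying the key files. Consider `f'/{fn.replace("_", ".")}:ro,z'` (or `:z` alone if cephadm deliberately mounts other secrets read-write) so the key material is read-only inside the container and labelled consistently with the other mounts. The container paths produced here are also a silent contract with the hardcoded `/server.key` and `/client.cert` values in the rendered `[mtls]` template; a one-line comment on `_get_tls_cert_key_mounts` naming that coupling would help the next maintainer. `customize_container_binds` continues outside the hunk.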
daemon_spec.keyring = keyring
daemon_spec.extra_files = {'ceph-nvmeof.conf': gw_conf}
+
+ if spec.enable_auth:
+ if (
+ not spec.client_cert
+ or not spec.client_key
+ or not spec.server_cert
+ or not spec.server_key
+ ):
+ self.mgr.log.error(f'enable_auth set for {spec.service_name()} spec, but at '
+ 'least one of server/client cert/key fields missing. TLS '
+ f'not being set up for {daemon_spec.name()}')
+ else:
+ daemon_spec.extra_files['server_cert'] = spec.server_cert
+ daemon_spec.extra_files['client_cert'] = spec.client_cert
+ daemon_spec.extra_files['server_key'] = spec.server_key
+ daemon_spec.extra_files['client_key'] = spec.client_key
+
daemon_spec.final_config, daemon_spec.deps = self.generate_config(daemon_spec)
daemon_spec.deps = []
return daemon_spec
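Review bot: The error branch on L43-L45 only logs and then falls through to deploy the gateway without mTLS even though `enable_auth` was requested, which is a fail-open outcome. Since the spec validation hunk later in this commit already rejects a spec that lacks any of the four values, this branch should be unreachable; if it is kept as a defensive check, raising (for example `OrchestratorError`, if that is in scope in this module) instead of logging would keep the behaviour fail-closed. The assignments on L47-L50 now place private key contents, not paths, into `extra_files`, which presumably cephadm writes to the host data dir; a short comment such as `# server_key/client_key hold the key material itself, which cephadm writes into the daemon's data dir` would spare the next reader the surprise. The enclosing function starts outside the hunk.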
id = {{ rados_id }}
[mtls]
-server_key = {{ spec.server_key }}
-client_key = {{ spec.client_key }}
-server_cert = {{ spec.server_cert }}
-client_cert = {{ spec.client_cert }}
+server_key = /server.key
+client_key = /client.key
+server_cert = /server.cert
+client_cert = /client.cert
[spdk]
tgt_path = {{ spec.tgt_path }}
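Review bot: The four paths hardcoded on L61-L64 are now a silent contract with `_get_tls_cert_key_mounts` in cephadm, which derives `/server.key`, `/client.cert` and the others from the extra_files names; if either side is renamed the gateway will point at files that are never mounted. A template comment such as `{# these paths must match the container targets produced by cephadm's _get_tls_cert_key_mounts #}` above `[mtls]` would document that. It is also worth confirming that the gateway ignores the `[mtls]` section when `enable_auth` is false, since the section is rendered unconditionally with paths that only exist when certs were supplied.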
#: ``bdevs_per_cluster`` number of bdevs per cluster
self.bdevs_per_cluster = bdevs_per_cluster
#: ``server_key`` gateway server key
- self.server_key = server_key or './server.key'
+ self.server_key = server_key
#: ``server_cert`` gateway server certificate
- self.server_cert = server_cert or './server.crt'
+ self.server_cert = server_cert
#: ``client_key`` client key
- self.client_key = client_key or './client.key'
+ self.client_key = client_key
#: ``client_cert`` client certificate
- self.client_cert = client_cert or './client.crt'
+ self.client_cert = client_cert
#: ``spdk_path`` path to SPDK
self.spdk_path = spdk_path or '/usr/local/bin/nvmf_tgt'
#: ``tgt_path`` nvmeof target path
raise SpecValidationError('Cannot add NVMEOF: No Pool specified')
if self.enable_auth:
- if not any([self.server_key, self.server_cert, self.client_key, self.client_cert]):
+ if not all([self.server_key, self.server_cert, self.client_key, self.client_cert]):
raise SpecValidationError(
'enable_auth is true but client/server certificates are missing')
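Review bot: The `#:` attribute comments on L69, L72, L75 and L78 still read as if the fields were paths ("gateway server key"), while after this commit they hold the key or certificate contents that get shipped to the host; these comments are conventionally picked up by Sphinx autodoc, so something like `#: ``server_key`` contents of the gateway server key (not a path)` on each would keep the spec documentation honest. Dropping the `./server.key` defaults on L70-L79 means the fields are left unset when the user omits them, which the `all([...])` check on L87 now relies on; that is the right fix, as the previous `any` accepted a spec with only one of the four values. A docstring line on the spec class stating that `enable_auth` requires all four values would round this off; the class header is outside the hunk.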